I am using Ruby on Rails 3 and I would like to send ’email’ and ‘password’ values (I know, I should not, but I need that) over the HTTP protocol. I need to send user credentials from a my client application to a my service application*.

I can use a public a private RSA key to accomplish that but, if so, I must don’t send the public key to the recipient over HTTP, otherwise an hacker can steal the key and decrypt contents. On other hands, the HMAC encryption (if I understood that) is good only to verify the data integrity and the authenticity of a message.

I heard of AES… is it good for my purposes? If so, where I can find a tutorial on how to use that with Ruby\Ruby on Rails? I “simply” need to encrypt user credentials on the client side and decrypt that on the server side.

P.S. I: If I’m wrong about something I wrote, let me know.

P.S. II: If you suggest other methods, let me know!

UPDATE I

*The client is a web application (a site web, for example ‘www.site1.com), the server is another web application (another site web, for example ‘www.site2.com).

UPDATE II

Using RSA encryption…

Client-I-service steps:

1. Client generates public\private key paris

2. I (a real person) copy-paste manually the public key from the client to the service

3. Client sends to the service the message including encrypted user credential (client doesn’t send\append the public key to the HTTP request)

4. Service, using the public key (that only the service knows), decrypts user credentials and proceed to the login of the user

Now, if I send the public key instead of doing the step 2, and so the client must send the public key in step 3 over the HTTP protocoll, an hacker can

1. intercept the message

2. take the public key

3. decrypt the user credentials and steal those

So, should I encrypt user credential (those are important and private information) using a RSA encryption if I send the public key to the service?